
Critical Vulnerability in PHPMailer. Affects WP Core.

A critical remote code execution vulnerability in PHPMailer has been discovered by Polish researcher Dawid Golunski. The vulnerability was announced on legalhackers.com yesterday but proof of concept exploit details were not included.

Unfortunately someone posted a proof of concept to exploit-db and to github a few hours ago demonstrating how the vulnerability can be exploited in the PHPMailer library, but not targeting any web application that is in use.

We are publishing this unscheduled update to give PHP developers and our community advance warning of this issue. We expect this story to continue to evolve rapidly as more developers and malicious actors look at this code.

Don’t Panic

NOTE: There is no known exploit publicly available for WordPress core or any WordPress theme or plugin at this time. The only exploit we have seen is where a researcher has built their own application and then exploited it, demonstrating the existence of this vulnerability in PHPMailer. (Details below)

Please don’t contact the WordPress core team, WordPress forum moderators or anyone else panicking that your WordPress site will be exploited. This research is currently ongoing and we are making you aware of this issue early for two reasons:

So that you can be ready to upgrade WordPress core and any other affected themes and plugins if you are a user, once a fix is released.

So that, if you are a developer who has used a vulnerable version of PHPMailer, you can start patching your code and get a release out to your customers.

The Details

If you are unfamiliar with RCE vulnerabilities, they are the worst-case scenario. All of the worst vulnerabilities in the history of WordPress have been remote code execution vulnerabilities. They allow an attacker to execute their own code on a victim website and thereby take control of the website.

We have performed a brief analysis on the affected code in PHPMailer. To exploit this vulnerability, it appears that an attacker would need to be able to control the sender email address.

A snippet of the vulnerable code in PHPMailer and the fixes is shown below.

In the vulnerable version of PHPMailer, the sender email address is passed unescaped to a shell command. An attacker could include shell commands in the sender email that execute malicious code on a target machine or website.
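To make the mechanism concrete, here is an added example in PHP; it is not PHPMailer's code and not the snippet this post originally showed. It models the shape described above: when PHP's mail() function is the transport, the envelope sender is turned into a "-f" option in mail()'s fifth argument, which PHP hands to the local sendmail binary through a shell. The vulnerable function passes that string through verbatim; the hardened one refuses anything outside a narrow character set instead of trying to escape it. The names buildSendmailParamsVulnerable, buildSendmailParamsHardened, isShellSafeSender and prepareContactMail, the 'smtp'/'mail' transport value and the example.com addresses are all assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not PHPMailer's code. It models the shape the post
// describes: with mail() as the transport, the envelope sender becomes a
// "-f" option in mail()'s fifth argument, which PHP hands to the local
// sendmail binary through a shell.

/** Vulnerable shape: the sender string is used verbatim as a shell argument. */
function buildSendmailParamsVulnerable(string $sender): string
{
    return sprintf('-f%s', $sender);
}

/**
 * Hypothetical shell-safety check (an assumption for this example, modelled
 * on the "refuse complex addresses" approach rather than on escaping):
 * accept only a narrow character set, so RFC-valid but complex addresses
 * such as quoted local parts are rejected.
 */
function isShellSafeSender(string $sender): bool
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Letters, digits and @ . _ + - only: none of these are special to a shell.
    return preg_match('/^[A-Za-z0-9@._+-]+$/', $sender) === 1;
}

/** Hardened shape: refuse an unsafe sender rather than trying to escape it. */
function buildSendmailParamsHardened(string $sender): ?string
{
    return isShellSafeSender($sender) ? sprintf('-f%s', $sender) : null;
}

/**
 * Application layer for a contact form. The envelope sender is a fixed,
 * server-side value; the visitor's address only ever goes into a Reply-To
 * header, never into the shell argument. $transport is a hypothetical
 * configuration value: 'smtp' (no shell involved) or 'mail'.
 */
function prepareContactMail(array $request, string $transport): array
{
    $fixedSender = 'noreply@example.com';
    $visitor = filter_var($request['email'] ?? '', FILTER_VALIDATE_EMAIL);

    $headers = ['From: ' . $fixedSender];
    if ($visitor !== false) {
        $headers[] = 'Reply-To: ' . $visitor;
    }

    // Only the mail() transport needs "-f"; SMTP carries the sender in-band.
    $params = ($transport === 'mail') ? buildSendmailParamsHardened($fixedSender) : null;

    return ['headers' => $headers, 'params' => $params];
}

// Constructed demo inputs (not taken from the advisory).
$plain   = 'alice@example.com';
$complex = '"alice smith"@example.com'; // quoted local part: RFC-valid, shell-significant

var_dump(buildSendmailParamsVulnerable($complex)); // passed through unchanged
var_dump(buildSendmailParamsHardened($complex));   // refused by the character whitelist
var_dump(buildSendmailParamsHardened($plain));     // accepted
var_dump(prepareContactMail(['email' => $complex], 'mail'));
```

Run it with the PHP CLI to see the three behaviours side by side. Two design points matter for anyone auditing their own code: the sender that reaches the shell should be a server-configured constant, never something a visitor typed into a form, and an address that is perfectly valid under the email RFCs can still carry characters a shell treats specially, which is why the hardened version rejects rather than escapes.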

What to do

We’re sending out this email as an early warning for our subscribers and customers. The WordPress core team are currently working on a fix that will be included in a WordPress core security release. There is no word yet on timing, but it may be as soon as within 24 hours.

Please update to the newest version of WordPress core as soon as it is released.

If you are a WordPress theme or plugin developer and have included your own copy of PHPMailer in your plugin or theme code, you need to update to PHPMailer 5.2.18 or newer immediately and release a fix to your customers.

More information and discussion

An issue in WP core was opened about 4 hours ago that included a patch to fix this issue. It updates WP core from using PHPMailer 5.2.14 to 5.2.19. This is just a proposed patch, not the final fix.

You can find the code changes on github showing the changes in PHPMailer to fix this issue. They make it fairly clear the issue is with the sender email address being sent to a shell command unsanitized.

A basic proof of concept exploit has also been posted to exploit-db which links to a more detailed demo of this exploit in action on github. The researcher has built their own web application which is vulnerable to this exploit, and then created an exploit for their own app. This is clearly not a real-world PoC, but it demonstrates the weakness in PHPMailer and paves the way for real-world exploits to emerge.

“The researcher also developed an Unauthenticated RCE exploit for a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation. It might be published after the vendor has fixed the vulnerabilities.”

Update Tuesday Dec 27th at 5:34am PST: The researcher has now released full details of this exploit including the specific weakness in PHPMailer that is used to gain remote code execution. They have not yet released the exploit they have for a “popular open source application”.

Update Tuesday Dec 27th at 8:14pm PST: There appear to still be security issues with PHPMailer that need to be fixed, as discussed on the oss-security mailing list.

Update Tuesday Dec 27th at 11:19pm PST: The researcher has now posted a new 0-day bypass for PHPMailer v5.2.19 and older. According to the researcher, the 0-day was disclosed because there had been a public discussion on the oss-sec list about a potential bypass that made it public. Disclosing a zero-day vulnerability is unusual for an ethical researcher, but in this case it’s excusable because the exploit became public through public discussion. It also helps vendors fix and test their products more effectively. So while this is unusual and potentially controversial, we think it’s an acceptable action in this case.

This is a vulnerability in a library that is used by developers, not a known exploit in a specific application. I want to be very clear on the next point: If you are a regular WordPress user, the only thing you need to do is to upgrade WordPress core ASAP when a security release is fixed, and upgrade any other plugins, themes or applications you have as soon as they release a security fix.

We aren't currently aware of any exploits that target widely used applications. As they emerge we will be releasing new firewall rules to our customers in real-time to protect you. (Assuming you use Wordfence Premium)

This is an advance warning of updates to come for users - and we're also making developers aware of the issue so that they can update their phpmailer libraries.

That will ensure your WP core is updated automatically when a security release goes out. If your theme or plugins aren't updated automatically then keep an eye out for security updates during the next few weeks. Same applies to any other PHP applications you have - like phpmyadmin, mediawiki, Joomla, Drupal etc. I don't know how many of them use phpmailer, but this is going to affect a lot of code.

It doesn't look like I have anything to worry about, but it's good to know the Wordfence team are so quick off the mark to give us all the heads up about potential exploits like this, even when most people are relaxing on their holidays. I will keep a close eye out for the upcoming WordPress security update.

Thank you for the warning. It's this level of vigilance towards emerging security threats that makes me feel confident in using Wordfence as my WordPress site's security plugin.

That exploit is not written by the author of the original research. The vulnerability was only announced yesterday. The original researcher made it clear they were not releasing their exploit yet. They also indicated that they have an exploit for a "popular open source application".

The person who wrote the above rushed this out to, most likely, draw attention to themselves.

So I wouldn't rely too heavily on that research or any caveats/requirements that they mention.

I would definitely want to review any code that uses phpmailer on a case-by-case basis. But I'd say as a general statement: Any application that uses phpmailer and does not allow a user (registered or unregistered) to specify the sender email address, is probably not going to be affected by this.

I haven't used that feature in Jetpack, but I'd say that if they don't allow site visitors or non-admin users to specify the sender email address, then that feature is probably safe.

This isn't the WP core dev or any WP dev's fault. This is what happens when you're a really big and popular target. WP has a lot of code and a lot of plugins, themes and utilities. Of course there are going to be a lot of vulnerabilities found and occasionally exploited. The trick is to create awareness about the issues and respond quickly.

I know the WP core team is working hard on any issues that need to be addressed - probably through the holiday. I've seen some activity on Slack indicating that.

I'm sure any other devs who are affected are rushing to release a fix asap.

We're doing our part and the community can help by spreading the word and creating awareness so we can all upgrade smoothly and quickly where needed and move on to something more fun and productive.

So, there were 2 "researchers"? Did either of them reach out to the responsible party for the mailer library? My initial reaction is that someone without integrity is trying to make a name for themselves. Otherwise, there wouldn't need to be any sort of scramble.

If you're running the newest WordPress it is going to be a vulnerable version of PHPMailer. But WordPress should be releasing a security update soon.

You should also know that there are no known vulnerabilities or exploits for WordPress core at this time. They're just using an old version of PHPMailer that may lead to exploitable vulnerabilities in the near future and so this is an alert to upgrade as soon as you see a new version of WordPress core released.

Looks like this is a product called 'patchman' that is making these modifications. It's a security product that some hosting providers use.

This is super aggressive and not something we would do or recommend. They've clearly rushed out a security patch and it's a duplicate of what the WP core team is about to release.

It is also patching files that don't actually have a known exploit. Yes they use the older PHPMailer that has security issues, but we aren't aware of any exploits in the wild yet for WP core or plugins or themes.

If you have been affected by this, I'd recommend you just 'ignore' the change in your scan results. Then wait for the WP core release which will probably overwrite those changes.

It says it's sent "unescaped to a shell command", can't you just turn off shell access for all user accounts on a cpanel server to stop any attack from this particular threat (it's my hosting server, users don't need shell access anyways) or is a different kind of shell access it is using at the PHP level?

Correct Tommy, it is shell access at the PHP level that they're referring to. Most programming languages have a way for you to execute shell commands programmatically. Sometimes you can fool the application into executing your own shell command if you're an attacker. That usually happens if the developer hasn't escaped user input correctly that they're sending to a shell command. That is what is happening in this case.

"Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions. A note on plugins: If plugins are correctly utilising wp_mail() they'll not be affected either, however, if a plugin is doing something wrong, the plugins team will be in contact with the plugin authors."

Starting to get a little cloudy for me. How, exactly, will the final fix to WordPress core appear? All my sites are getting the error message in Wordfence about a core file having changed. How will I know when/how to fix it? I thought surely by now it would have been released.

That's Patchman's fault. Contact your hosting provider or patchman.io. It has nothing to do with the core developers or the Wordfence team. The patchman team have released that patch which modifies your code. It's a product your hosting provider uses.

First, I am very impressed with Wordfence.com putting out this notice and keeping it updated in a proper timely fashion. Does anyone know if/when WordPress will be sending out the update? I still haven't seen one come out ...

Tell us again how it benefits us to have legal hackers digging for issues, then making that information public before patches are developed? You left millions of sites sitting ducks, with lower level hackers beating the bushes to attack as many as possible through the hole you just published. Notoriety for finding holes also isn't such a good idea until down the road; it just makes the tech more anxious to get the word out to the public. FYI: PHPMailer has always been a concern; that should have been made common knowledge years ago. But concerns about holes should be addressed between organizations and notices distributed only as patches are released. Otherwise, we're all of a sudden liable, with no recourse.

PHPMailer is an open source project. It's not proprietary where development happens behind closed doors. The public contributes and everyone can see much of the discussion and the commits as they are added. So hackers can see the fixes as they are discussed and added and before they are released.

Well, I do my best to explain it in plain English, but it doesn't translate for all users. To exploit a SQL injection vulnerability an attacker needs the website to be running a vulnerable theme or plugin that has a SQL injection vulnerability.

Thanks for the info. My Wordfence plugin keeps telling me that the class-phpmailer.php file has been changed. The change does not match the one mentioned in the post above. I keep changing it back to the original one and there has not yet been a WP update... am I doing the right thing or is the changed file a fix of sorts...?

Jeez, people, you need to start reading these posts and comments!!! Guess what!? Someone already asked that.... and someone else... and then someone else. I bet the Wordfence team has better things to do than replying to the same f...g question all day long!!!
Sorry, it's just sooo annoying to read the same question over and over.

Thanks for your reply. I'm sorry if reading my comments upsets you so much. You don't have to read it, you could just skip past? The fact is that I still don't actually understand the reply or the reply to the other comments. I'm afraid that I'm a complete novice at this. I think I'll try and find some help in a friendlier and more tolerant place.

(rough paste follows, see link for original)
The WordPress Security team is aware of the PHPMailer issues. We've been in contact with the author and security researchers and discussing the fixes.
Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.
A note on plugins: If plugins are correctly utilising wp_mail() they'll not be affected either, however, if a plugin is doing something wrong, the plugins team will be in contact with the plugin authors.
The upcoming 4.7.1 release will contain mitigation for these issues, we're committed to only shipping secure libraries with WordPress - regardless of whether we use the feature or not.
We don't have any specific timing details to share at present, however the preparations for a 4.7.1 release were already underway when we learnt about the issues.

I'm the maintainer of PHPMailer, so I've been busy lately. I thought I'd drop in and answer a few of the questions posted here.

First of all, some assurances: if you don't use user-supplied from addresses (and you shouldn't be anyway), you're not vulnerable. If you're using SMTP or sendmail (not mail()) to send, you're not vulnerable. If you're using postfix, you're safe too.

The primary cause of the first vulnerability (CVE-2016-10033) was not taking into account that a fully functional, validated and RFC-compliant email address (as the sender address in PHPMailer is) could also be an attack string in a shell context. This has parallels with SQL injection strings - it could be entirely harmless in a shell, but lethal in an SQL context.

This vulnerability was fixed in PHPMailer 5.2.18.

The second vulnerability (10045) related to the interaction of PHP's shell escaping functions. This was not fixed as such (because it's a bug in PHP, not PHPMailer), but it was worked around and made safe in 5.2.20. As a side-effect, complex sender addresses will no longer work. If you need VERP addressing (the kind of thing you need complex sender addresses for), I recommend you use SMTP, which is also faster. The format of From and To addresses remain unchanged, because they have no bearing on the vulnerabilities.

The premature posting of an exploit was unhelpful, and did result in a 'scramble', but it was not done by the researchers involved in reporting the vulns.

The roundcube bug was the same as CVE-2016-10033 in PHPMailer. These same vulnerabilities have been found (some by the same researchers, at the same time) in other popular PHP email libraries, and I expect many applications that don't use libraries have done the same and will need to be fixed too. For example, this was just announced: